OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17
Hi everyone, hope you are all safe and well.
This morning I checked out the logs for Fail2Ban and saw nothing like what I would expect.
Usually the logs look like this:
2021-10-12 05:57:02,294 fail2ban.filter [6801]: INFO [postfix-sasl] Found 136.144.41.87 - 2021-10-12 05:57:02
2021-10-12 05:57:12,284 fail2ban.filter [6801]: INFO [postfix-sasl] Found 195.133.40.83 - 2021-10-12 05:57:12
2021-10-12 05:59:38,219 fail2ban.filter [6801]: INFO [postfix-sasl] Found 37.0.11.114 - 2021-10-12 05:59:38
2021-10-12 06:00:05,217 fail2ban.filter [6801]: INFO [sshd] Found 212.193.30.32 - 2021-10-12 06:00:05
2021-10-12 06:00:07,411 fail2ban.filter [6801]: INFO [sshd] Found 212.193.30.32 - 2021-10-12 06:00:07
2021-10-12 06:01:05,482 fail2ban.filter [6801]: INFO [postfix-sasl] Found 31.210.21.220 - 2021-10-12 06:01:05
2021-10-12 06:01:43,743 fail2ban.filter [6801]: INFO [postfix-sasl] Found 203.159.80.60 - 2021-10-12 06:01:43
2021-10-12 06:04:35,648 fail2ban.filter [6801]: INFO [postfix-sasl] Found 37.0.10.49 - 2021-10-12 06:04:35
2021-10-12 06:04:48,863 fail2ban.actions [6801]: NOTICE [sshd] Unban 212.193.30.101
But I also see this, and loads of it:
Oct 12 06:56:27 xvm136595 kernel: Linux version 4.18.13-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)) #1 SMP Wed Oct 10 15:37:55 EDT 2018
Oct 12 06:56:27 xvm136595 kernel: Command line: root=/dev/xvda ro selinux=0 console=tty1 console=hvc0
Oct 12 06:56:27 xvm136595 kernel: x86/fpu: Supporting XSAVE feature 0x001: ‘x87 floating point registers’
Oct 12 06:56:27 xvm136595 kernel: x86/fpu: Supporting XSAVE feature 0x002: ‘SSE registers’
Oct 12 06:56:27 xvm136595 kernel: x86/fpu: Supporting XSAVE feature 0x004: ‘AVX registers’
Oct 12 06:56:27 xvm136595 kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Oct 12 06:56:27 xvm136595 kernel: x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using ‘standard’ format.
Oct 12 06:56:27 xvm136595 kernel: BIOS-provided physical RAM map:
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009ffff] usable
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x00000000000a0000-0x00000000000fffff] reserved
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000fbffffff] usable
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x00000000fc000000-0x00000000fc00903f] ACPI data
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x00000000feff8000-0x00000000feffffff] reserved
Oct 12 06:56:27 xvm136595 kernel: BIOS-e820: [mem 0x0000000100000000-0x00000001040003ff] usable
Oct 12 06:56:27 xvm136595 kernel: NX (Execute Disable) protection: active
Oct 12 06:56:27 xvm136595 kernel: DMI not present or invalid.
and:
Oct 12 06:56:31 xvm136595 systemd: Closed udev Control Socket.
Oct 12 06:56:31 xvm136595 systemd: Stopping udev Control Socket.
Oct 12 06:56:31 xvm136595 systemd: Closed udev Kernel Socket.
Oct 12 06:56:31 xvm136595 systemd: Stopping udev Kernel Socket.
Oct 12 06:56:31 xvm136595 systemd: Starting Cleanup udevd DB…
Oct 12 06:56:31 xvm136595 systemd: Started Cleanup udevd DB.
Oct 12 06:56:31 xvm136595 systemd: Reached target Switch Root.
Oct 12 06:56:31 xvm136595 systemd: Starting Switch Root.
Oct 12 06:56:31 xvm136595 systemd: Starting Switch Root…
Oct 12 06:56:31 xvm136595 systemd: Switching root.
Oct 12 06:56:31 xvm136595 journal: Journal stopped
Oct 12 06:56:32 xvm136595 journal: Runtime journal is using 8.0M (max allowed 165.9M, trying to leave 248.8M free of 1.6G available → current limit 165.9M).
Oct 12 06:56:32 xvm136595 systemd-journald[349]: Received SIGTERM from PID 1 (systemd).
Oct 12 06:56:32 xvm136595 kernel: systemd: 30 output lines suppressed due to ratelimiting
Oct 12 06:56:32 xvm136595 systemd[1]: Inserted module ‘ip_tables’
Oct 12 06:56:32 xvm136595 journal: Journal started
and:
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#49193: received notify for zone ‘localhost’
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#34998: received notify for zone ‘1.0.0.127.in-addr.arpa’
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#34998: received notify for zone ‘0.in-addr.arpa’
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#34998: received notify for zone ‘localhost.localdomain’
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#34998: received notify for zone ‘1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa’
Oct 12 08:28:22 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#37515: received notify for zone ‘localhost.localdomain’
Oct 12 08:28:23 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#43576: received notify for zone ‘localhost’
Oct 12 08:28:23 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#43576: received notify for zone ‘1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa’
Oct 12 08:28:23 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#43576: received notify for zone ‘1.0.0.127.in-addr.arpa’
Oct 12 08:28:23 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#43576: received notify for zone ‘0.in-addr.arpa’
The above are just a few snips of the log and there is much much more.
This server is acting as a slave nameserver ONLY; no sites are hosted on it.
I'm not suggesting that I want the lines analysed, just: should these lines be in the fail2ban logs?
I have thought that these logs should not be in the fail2ban log but elsewhere, so I have dug around looking for some clue, like the wrong log specified somewhere, but could find nothing that looked hinky or out of place. Can anybody confirm whether the above are expected or otherwise, please?
Edited to add - This looks like it started yesterday (server up and running for about 2 weeks) and may have followed a reboot, but I'm not certain of that.
Further edit to add - I see the following sample lines in the logs:
/var/log/maillog
Oct 14 07:08:43 xvm136595 postfix/smtpd[31629]: warning: unknown[31.210.20.48]: SASL LOGIN authentication failed: authentication failure
/var/log/fail2ban.log
Oct 14 07:08:43 xvm136595 postfix/smtpd[31629]: warning: unknown[31.210.20.48]: SASL LOGIN authentication failed: authentication failure
Thanks for reading.
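A quick way to see how much of /var/log/fail2ban.log is actually fail2ban's own output is to classify each line by format: fail2ban writes its native "YYYY-MM-DD HH:MM:SS,mmm fail2ban.<component> [pid]: LEVEL ..." lines, while kernel, systemd, named and postfix lines carry the traditional syslog "Mon DD HH:MM:SS host program[pid]: ..." prefix. The script below is an added example, not part of the original post or of fail2ban; it runs on a constructed sample built from the lines quoted above, and the regexes, function names and counts it reports are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: two native fail2ban lines plus syslog-format lines
# of the kind the post shows appearing in the same file.
SAMPLE_LOG = """\
2021-10-12 05:57:02,294 fail2ban.filter [6801]: INFO [postfix-sasl] Found 136.144.41.87 - 2021-10-12 05:57:02
2021-10-12 06:04:48,863 fail2ban.actions [6801]: NOTICE [sshd] Unban 212.193.30.101
Oct 12 06:56:27 xvm136595 kernel: NX (Execute Disable) protection: active
Oct 12 06:56:31 xvm136595 systemd: Switching root.
Oct 12 08:28:19 xvm136595 named[15268]: client @0x7f4f1c0c6370 85.234.151.55#49193: received notify for zone 'localhost'
Oct 14 07:08:43 xvm136595 postfix/smtpd[31629]: warning: unknown[31.210.20.48]: SASL LOGIN authentication failed: authentication failure
"""

# Native fail2ban format: ISO date/time with milliseconds, then
# "fail2ban.<component> [pid]: LEVEL ...".
FAIL2BAN_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} fail2ban\.\w+\s+\[\d+\]: "
)
# Traditional syslog format: "Mon DD HH:MM:SS host program[pid]: ...".
# The program name may contain a slash (e.g. postfix/smtpd) and the
# [pid] part is optional (kernel and systemd lines above have none).
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: "
)


def classify_line(line):
    """Return ('fail2ban', None), ('syslog', program) or ('unknown', None)."""
    if FAIL2BAN_RE.match(line):
        return ("fail2ban", None)
    m = SYSLOG_RE.match(line)
    if m:
        return ("syslog", m.group("prog"))
    return ("unknown", None)


def audit_fail2ban_log(text):
    """Count native fail2ban lines and foreign syslog lines per program."""
    native, unknown, foreign = 0, 0, Counter()
    for line in filter(str.strip, text.splitlines()):
        kind, prog = classify_line(line)
        if kind == "fail2ban":
            native += 1
        elif kind == "syslog":
            foreign[prog] += 1
        else:
            unknown += 1
    return {"native": native, "foreign": dict(foreign), "unknown": unknown}


if __name__ == "__main__":
    print(audit_fail2ban_log(SAMPLE_LOG))
```

Run it against the real file with `python3 audit.py < /var/log/fail2ban.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; a non-empty "foreign" map tells you which daemons' syslog output is landing in the fail2ban log file.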